Configuring delegation control for administrative accounts

If you use a regular domain account (not part of the Domain Admins group) for the administrative account, you need to configure the domain account with the proper rights delegation in the domain controller.

Note:   The delegated permissions configured for the administrative account are not available for some protected groups. See the following for details: https://support.microsoft.com/en-us/help/817433/delegated-permissions-are-not-available-and-inheritance-is-automatical

To enable delegated permissions on the administrative account to manage protected groups, see the additional configuration steps in To configure delegation control in the domain controller for protected group accounts .

To configure delegation control in the domain controller for the administrative account

  1. In the domain controller of the domain, select Administrative Tools > Active Directory Users and Computers.
  2. Right-click the domain with the accounts to be managed and select Delegate Control, and then click Next at the Welcome window.
  3. At Users and Groups, click Add and enter the name of the user you want to configure with the administrative account (with unlock and password reset permissions) and click OK.
  4. In Task to Delegate, select Create a custom task to delegate and click Next.
  5. In Active Directory Object Type, select Only the following objects in the folder, and select User objects and then click Next.
  6. In Permissions, select the following:
    • General and Reset password to delegate password reset rights.

    • Property-specific, Read msDS-User-Account-Control-Computed, Read lockout Time, Write lockout Time to delegate account unlock rights.

  7. Click Next and then Finish.

    The domain account with delegated permissions can now be configured as the domain administrative account for the account unlock and automatic account maintenance features.

To configure delegation control in the domain controller for protected group accounts

  1. At a command prompt on the domain controller, type the following command to grant the domain account permission to perform account unlock.

    Note:   dc=cps and dc=com in the following commands should be changed to your domain name.

    dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourAccountName>:RP;msDS-User-Account-Control-Computed;user" /I:S
    dsacls "dc=cps,dc=com" /G "<yourDomainName>\yourAccountName>:RPWP;lockoutTime;user" /I:S 
    dsacls "CN=AdminSDHolder, CN=System, DC=cps, DC=com"  /G "<yourDomainName>\<yourAccountName>:RPWP;lockoutTime"
  2. At a command prompt on the domain controller, type the following command to grant the domain account permission to perform password reset.

    Note:   dc=cps and dc=com in the following commands should be changed to your domain name.

    dsacls "dc=cps,dc=com" /G "<yourDomainName>\<yourACcountName>:CA;Reset Password;user" /I:S 
    dsacls "CN=AdminSDHolder, CN=System, DC=cps, DC=com"  /G "<yourDomainName>\<yourAccountName>:CA;Reset Password"

It can take a while for the Security Descriptor Propagator Update (SDProp) process to pick up the new settings from AdminSDFolder. To initiate the SDProp process immediately, complete the following steps:

  1. Click Run and enter ldp.exe in the domain controller desktop Start menu.
  2. Select Connection > Connect... from the Ldp window.
  3. In the Connect window, make sure 389 is listed in the Port field, and then click OK.
  4. Select Connection > Bind... from the Ldp window.
  5. Select Bind as currently logged on user and click OK.
  6. Select Browse > Modify from the Ldp window.
  7. Configure the following fields in the Modify window:

    DN field: empty

    Attribute field: type RunProtectAdminGroupsTask

    Values field: 1

    Operation: click Add and then click Enter.

  8. Click Run.

    If you have a large environment, it may take some time for SDProp to update the protected admin group permissions.